The California Consumer Privacy Act (CCPA) is a landmark set of state-level consumer privacy regulations and the first of its kind in the United States. The law set off a string of other state-level privacy legislation and, at the time of writing, nine other states have enacted privacy laws, and 10 have active privacy legislation.
Since its passage in 2018 and the start of enforcement in 2020, further revisions and addendums have expanded the power of the CCPA. The California Privacy Rights Act (CPRA) was passed in November 2020 and went into effect in January 2023. The CCPA as amended by CPRA enshrines further provisions and privacy protections for California consumers and establishes the California Privacy Protection Agency (CPPA), a regulatory body focusing on data privacy.
Keeping the laws and their provisions straight is already a difficult task, and their confusingly similar acronyms don’t help. Companies operating in California are seeking clarity about how the recent developments in the state’s data privacy laws will actually impact them, and what effective and satisfactory compliance looks like.
Let’s explore some recent enforcement news from the CPPA’s new Deputy Director of Enforcement and five core components of the revised CCPA that we expect the CPPA (“the Agency,” for clarity’s sake) to enforce moving forward.
What the CPPA Will Do & What It’s Already Done
The California Attorney General was responsible for enforcing the state’s data privacy law when it went into effect in 2020. Privacy enforcement cases weren’t in short supply for the AG, but holding companies accountable for CCPA compliance was just one of their many areas of responsibility.
The Agency, on the other hand, has full administrative power and exclusively exists to interpret the provisions of the CCPA and enforce sanctions and penalties for violations. The starting annual budget of $10 million will be used for hiring, awareness initiatives, and enforcement efforts.
In July 2022, the Agency commenced the formal rulemaking process to propose a set of guidelines consisting of revised regulations, which were approved by California’s Office of Administrative Law (OAL). Many are understandably confused by the Sacramento Superior Court of California’s ruling that issued a one-year delay for these OAL-approved regulations, meaning they won’t go into effect until March 2024.
While the revised regulation enforcement is delayed for a year, the Agency can still enforce the CCPA and CPRA in the meantime.
The reality is that the OAL-approved regulations provide clarity for existing rules, but don’t really create new guidelines or introduce new principles.
To further clarify the Agency’s intentions, in a public board meeting on July 14, 2023, the CPPA’s new Deputy Director of Enforcement Michael Macko stressed that particular attention will be paid to evaluating how companies are complying with rules relating to privacy notices and policies, the right to delete, and the implementation of consumer requests.
5 Areas of the CCPA We Expect the CPPA To Enforce
Like any comprehensive law, the CCPA is complicated and has a wide range of implications for companies doing business in California.
However, based on the Agency’s revised guidelines, recent statements, and our conversations with data privacy experts, we have a sense of which areas will likely be enforced. Just as importantly, we have suggestions for the steps companies can take to ensure compliance.
Our Official Guide to CCPA dives deeper into these subjects, but if you’re looking for a quick rundown, here are five key enforcement areas to keep top of mind:
1. Privacy Rights
The CCPA establishes rights for consumers and employees to access, delete, and rectify their data. Because businesses must observe these rights and fulfill data subject requests (DSRs), they need to know all systems containing related data. Your privacy team can’t do it alone: Accurate, efficient DSR fulfillment requires cross-functional collaboration across the entire organization.
Businesses must provide consumers and employees with two methods to submit privacy requests and meet specific timelines for (a) confirming receipt of requests and (b) responding to them. More time may be granted if necessary, but communication and transparency with the data subject (requester) is necessary every step of the way.
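The receipt, acknowledgement, extension and response steps described above, as an added example that is not DataGrail’s code or part of the original post. The deadline lengths are parameters: the defaults are the CCPA limits as the author of this example understands them (10 business days to confirm receipt, 45 calendar days to respond, one extension of up to 45 more days) and should be verified against the current regulations rather than taken from here; the request record, the `web-form` intake channel and the dates are constructed for the demonstration.

```javascript
// Added example (not DataGrail's code): tracking a data subject request (DSR)
// through receipt, acknowledgement, optional extension and response, with each
// deadline computed from the intake date.
// Assumed defaults: confirm receipt within 10 business days, respond within
// 45 calendar days, one extension of 45 more days. Verify against current rules.
const DEFAULT_POLICY = { ackBusinessDays: 10, responseDays: 45, extensionDays: 45 };

// Calendar-day arithmetic in UTC, never mutating the input date.
function addDays(date, n) {
  const d = new Date(date.getTime());
  d.setUTCDate(d.getUTCDate() + n);
  return d;
}

// Business days are Mon-Fri here; holiday calendars are out of scope.
function addBusinessDays(date, n) {
  let d = date;
  let remaining = n;
  while (remaining > 0) {
    d = addDays(d, 1);
    const dow = d.getUTCDay(); // 0 = Sunday, 6 = Saturday
    if (dow !== 0 && dow !== 6) remaining -= 1;
  }
  return d;
}

// Open a request record. `channel` is whichever intake method the requester
// used (the post notes a business must offer two); `type` is access, delete or correct.
function openRequest({ id, type, channel, receivedAt }, policy = DEFAULT_POLICY) {
  return {
    id, type, channel, receivedAt,
    ackDue: addBusinessDays(receivedAt, policy.ackBusinessDays),
    responseDue: addDays(receivedAt, policy.responseDays),
    ackAt: null, completedAt: null, extended: false,
    events: [{ at: receivedAt, what: 'received', note: `via ${channel}` }],
  };
}

// Record that receipt was confirmed to the requester.
function acknowledge(req, at) {
  if (req.ackAt) throw new Error(`${req.id}: already acknowledged`);
  req.ackAt = at;
  req.events.push({ at, what: 'acknowledged', note: 'receipt confirmed to requester' });
  return req;
}

// One extension only, and the requester must be told why the deadline moved.
function extend(req, at, reason, policy = DEFAULT_POLICY) {
  if (req.extended) throw new Error(`${req.id}: only one extension is allowed`);
  if (!reason) throw new Error(`${req.id}: an extension needs a stated reason`);
  req.extended = true;
  req.responseDue = addDays(req.responseDue, policy.extensionDays);
  req.events.push({ at, what: 'extended', note: `requester notified: ${reason}` });
  return req;
}

// Record delivery of the response.
function complete(req, at) {
  req.completedAt = at;
  req.events.push({ at, what: 'completed', note: 'response delivered' });
  return req;
}

// Which obligations are overdue as of `now`: an array containing 'ack' and/or 'response'.
function overdueItems(req, now) {
  const late = [];
  if (!req.ackAt && now > req.ackDue) late.push('ack');
  if (!req.completedAt && now > req.responseDue) late.push('response');
  return late;
}

const iso = (d) => d.toISOString().slice(0, 10);

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample: a deletion request received on Tuesday 2024-01-02.
  const req = openRequest({
    id: 'DSR-0001', type: 'delete', channel: 'web-form',
    receivedAt: new Date(Date.UTC(2024, 0, 2)),
  });
  acknowledge(req, new Date(Date.UTC(2024, 0, 5)));
  extend(req, new Date(Date.UTC(2024, 1, 1)), 'data held in an archived system takes longer to retrieve');
  console.log(`ack due ${iso(req.ackDue)}, response due ${iso(req.responseDue)}`);
  console.log('overdue on 2024-03-01:', overdueItems(req, new Date(Date.UTC(2024, 2, 1))));
  console.log('overdue on 2024-04-02:', overdueItems(req, new Date(Date.UTC(2024, 3, 2))));
}
```

Every state change appends an event naming what the requester was told, so the record doubles as the communication trail the post says must accompany each step; `overdueItems` is what a daily job would run over open requests to surface anything slipping past a deadline.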
2. Clear Disclosure Practices
Whenever your business collects personal data, you must inform the consumer about what information you’re collecting, why you’re collecting it, and how you’re using it. Easily understandable privacy policies are important tools for businesses to ensure transparency and clear disclosure practices.
In all disclosure measures, companies also need to avoid any perceived manipulation that may invalidate consent, including “dark patterns” and other practices that may unduly influence users.
3. Vendor Contracting Requirements
The CCPA outlines expectations for businesses to have written agreements with vendors, service providers, and other third parties ensuring personal information is used and shared only as instructed. If third parties hire other companies to handle any personal or sensitive information, those entities also must comply with CCPA requirements.
The Agency provides distinct definitions for service providers, contractors, and third parties. Companies should take note of the differences if they do business with any combination of external vendors.
4. Consent & Opt-Outs
Consumers have the right to opt out of the selling or sharing of their data, including data sharing for monetary gain or targeted marketing purposes. The CCPA requires businesses to make the opt-out process easy and understandable via their websites or apps.
Additionally, companies must now respect the Global Privacy Control (GPC) signal, which differs from the original CPRA text offering the option of either the GPC signal or a “do-not-sell” button.
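One way a site can honor the GPC signal, as an added example that is not DataGrail’s code or part of the original post. It relies on two facts about GPC: a browser with the control enabled sends the request header `Sec-GPC: 1`, and exposes `navigator.globalPrivacyControl === true` to page scripts. The conflict rule (a GPC signal overrides a stored “allow”, a stored opt-out stands on its own), the integration list and the sample requests are assumptions constructed for the demonstration; which integrations count as a sale or share is a classification the business has to make.

```javascript
// Added example (not DataGrail's code): honoring the Global Privacy Control (GPC)
// opt-out signal on both the server and the client.

// Server side: true only when the request carries a valid GPC signal.
// `headers` is a plain object keyed by lower-cased header name, as Node's
// http module presents req.headers. Only the exact value "1" counts.
function gpcOptOutRequested(headers) {
  const raw = headers['sec-gpc'];
  if (raw === undefined || raw === null) return false;
  // A repeated header arrives as an array; only the first value is considered.
  const value = Array.isArray(raw) ? raw[0] : raw;
  return String(value).trim() === '1';
}

// Client side: the same check against a navigator-like object, so a page can
// decide before loading any third-party tag.
function clientSignalsGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Combine the signal with a preference the visitor saved earlier.
// Assumed rule: a GPC signal is treated as a valid opt-out request and wins over
// a stored "allow"; a stored opt-out stands even when no signal is present.
function resolveSaleSharePreference(headers, storedPreference) {
  if (gpcOptOutRequested(headers)) {
    return { optedOut: true, source: 'gpc-signal' };
  }
  if (storedPreference === 'opt-out') {
    return { optedOut: true, source: 'stored-choice' };
  }
  return { optedOut: false, source: storedPreference === 'allow' ? 'stored-choice' : 'default' };
}

// Filter a list of downstream integrations to those allowed to run. Each
// integration declares whether it constitutes a sale or share of personal
// information; that flag is a business classification, not something inferred here.
function allowedIntegrations(integrations, decision) {
  return integrations.filter((i) => !(decision.optedOut && i.saleOrShare));
}

// Audit record of the decision: records the signal and the outcome, and
// deliberately nothing that identifies the visitor.
function auditEntry(decision, requestId, at = new Date()) {
  return {
    requestId,
    gpcSignal: decision.source === 'gpc-signal',
    optedOut: decision.optedOut,
    source: decision.source,
    at: at.toISOString(),
  };
}

// Constructed integration list (hypothetical names, not real vendors).
const SAMPLE_INTEGRATIONS = [
  { name: 'session-replay', saleOrShare: false },
  { name: 'ad-retargeting-pixel', saleOrShare: true },
  { name: 'first-party-analytics', saleOrShare: false },
];

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample requests, not captured traffic.
  const samples = [
    { id: 'req-1', headers: { 'sec-gpc': '1' }, stored: 'allow' },
    { id: 'req-2', headers: {}, stored: 'opt-out' },
    { id: 'req-3', headers: { 'sec-gpc': '0' }, stored: undefined },
  ];
  for (const s of samples) {
    const decision = resolveSaleSharePreference(s.headers, s.stored);
    const runs = allowedIntegrations(SAMPLE_INTEGRATIONS, decision).map((i) => i.name);
    console.log(s.id, JSON.stringify(auditEntry(decision, s.id)), 'runs:', runs.join(', '));
  }
}
```

The parse is deliberately strict: `Sec-GPC: 0`, an empty header or any other value is not an opt-out, but `1` is, regardless of what the visitor chose in an earlier cookie banner. Keeping the audit entry free of visitor identifiers means the log that proves the signal was honored does not itself become another store of personal information.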
5. Data Security & Minimization
The CCPA requires companies to use reasonable measures like secure storage, encryption, and access controls to protect data from breaches, theft, and unauthorized access. Companies are expected to practice data minimization by collecting only the data necessary to complete business tasks and using it solely for the purposes disclosed to consumers.
Finally, businesses need to uncover and map their internal systems and third-party solutions containing personal data. This is especially important — and difficult — for large companies using many SaaS apps and services across operations and departments. Completely discovering, tracking, and mapping your data landscape is the key to understanding and minimizing related risks and meeting CCPA mandates.
DataGrail Can Help Ensure You’re Ready for What’s Here and What’s Coming
We know these CCPA components are complex and likely overlap with several aspects of your organization’s operations and practices. If you’re looking for recommended action items to begin addressing anticipated enforcement areas, check out our Official Guide to CCPA.
We can expect more changes in the future as the Agency continues to develop and improve the CCPA’s regulations.
Keeping abreast of data privacy laws lowers business risk, helps build a strong data privacy program, and allows companies to adapt to future changes with little disruption and honor consumer concerns central to today’s privacy trends.
DataGrail helps with many of the components that ensure a strong, comprehensive privacy program and support your commitment to data privacy. Head to our website to explore product offerings that assist with data mapping, privacy assessments, and DSR fulfillment automation, or contact us to request a demo and learn how our Privacy Control Center™ can help you.